1. Field of the Invention
The present invention relates generally to web services, and more particularly to program code for identifying stored vulnerabilities in a web service.
2. Description of the Related Art
Web services are an important building block in web architectures. Specifically, web services provide remote services to remote clients, thereby enabling online retrieval and processing of data in web applications and other web services. The rapid increase in the popularity of web services also makes them the target of a growing number of security attacks, which has led to the development of specialized testing tools for security vulnerabilities in web services.
For example, it is known for black-box security tools, such as IBM Security AppScan Standard and Enterprise Edition, to have scanning capabilities specific to web services. However, the black-box security tools are currently limited to identifying reflected injection attacks (i.e., reflected security vulnerabilities), where the tool submits an input containing a test payload, and validates whether the test succeeded based on the response from the web service.
In addition to reflected security vulnerabilities, there are persistent stored vulnerabilities, wherein the test payload does not flow directly into the response corresponding to an enclosing web service request, but instead arrives at some persistent storage (e.g., a file or a database). The payload is later read as a result of another web service request, which triggers the inclusion of the payload in the response corresponding to the enclosing web service request.
Identifying stored vulnerabilities via black-box security tools can be challenging, because the security tools scanning a software application for stored vulnerabilities may not be aware of the internal components of the software application. The lack of awareness of the internal components of the software application makes it difficult for the security tools to identify web service request sequences capable of exposing stored vulnerabilities. Furthermore, the lack of awareness of the internal components of the software application makes it difficult to identify input parameters that trigger such sequences. As a result, current black-box scanners may not identify certain stored vulnerabilities in web services.
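The difference between the reflected check and the stored case described above can be shown with a short added example, which is not part of the original text. The service, its two operations, and the marker value are hypothetical and constructed for illustration, and the example assumes the tester already knows which second request reads the stored value, which is exactly the knowledge a black-box tool lacks.

```python
import html

# Constructed, inert marker; its angle brackets reveal whether output is encoded.
MARKER = "<gr-probe-7f3a>"


class GuestbookService:
    """Hypothetical web service: two operations sharing one persistent store."""

    def __init__(self, encode_on_read=False):
        self._db = []                  # stands in for a file or a database
        self._encode = encode_on_read  # True models a service that encodes output

    def add_entry(self, text):
        # The input is persisted; the response to this request never echoes it.
        self._db.append(text)
        return "<status>stored</status>"

    def list_entries(self):
        # A different request reads the stored values into its own response.
        render = html.escape if self._encode else (lambda s: s)
        items = "".join(f"<e>{render(t)}</e>" for t in self._db)
        return f"<entries>{items}</entries>"


def reflected_check(service):
    """Reflected-style test: inspect only the response to the submitting request."""
    return MARKER in service.add_entry(MARKER)


def stored_check(service):
    """Stored-style test: submit the marker, then inspect a later request's response.

    Assumption: the add_entry -> list_entries pairing is known in advance.
    """
    service.add_entry(MARKER)
    return MARKER in service.list_entries()


if __name__ == "__main__":
    print("reflected check, unencoded service:", reflected_check(GuestbookService()))
    print("stored check, unencoded service:   ", stored_check(GuestbookService()))
    print("stored check, encoding service:    ",
          stored_check(GuestbookService(encode_on_read=True)))
```

The reflected-style check reports nothing for the same service on which the two-request check finds the marker returned unencoded.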